ICMPv6

I read about some IPv6 test sites in another topic (thanks @Freekers). This test suggests I should reconfigure my firewall:

@DL6ER already explained to me:
"Security: IPSec, which provides confidentiality, authentication and data integrity, is baked into IPv6. Because of their potential to carry malware, IPv4 ICMP packets are often blocked by corporate firewalls, but ICMPv6, the implementation of the Internet Control Message Protocol for IPv6, may be permitted because IPSec can be applied to the ICMPv6 packets."

The question: Is the message 'An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all' a real thing?

I don't understand the relationship between 'loading web pages' and 'ICMP'.

As far as I know, I don't need ICMP outside my local network, never used it, probably never will...

Thanks

ICMPv6 is the traffic flow messenger, so things like needing to back down a packet size, reroute to a new location, throttle for congestion, all that is handled by the ICMPv6 structure. It's a secure model and you can either filter for certain messages if you want to, or just allow it to pass unimpeded to the end host.

Thanks for your quick reply.

Does this mean: allow for outgoing ICMPv6 for all IPv6 local clients?

It's safe to just let ICMPv6 have bidirectional communication. It's meant for the hosts to negotiate best path/best effort for traffic instead of the traditional ICMPv4 model that was primarily between routers and handled on the border of network segments.

That test is sending ICMPv6 messages to your host and expecting a reply with confirmation, it's not getting that so it shows the filtered error. I'm not on a node at the moment with IPv6 enabled or I'd show you what the different setups result in.

If you wanted to know more and see the test in action, you would throw tcpdump or Wireshark at it to see how it all flows together.
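As an added illustration (not part of this thread, and not pfSense's or any test site's code): the two replies above say that ICMPv6 carries the "back down a packet size" signal and that a capture would show the exchange. The Python below builds a few ICMPv6 messages of its own, checks the RFC 4443 checksum over the IPv6 pseudo-header the way a capture tool does, and then applies a transit policy that is one reading of RFC 4890 to each of them. Everything here is constructed: the router 2001:db8:1::1, the client 2001:db8::10, the off-link source 2001:db8:bad::1, the 40-byte placeholder "invoking packet", and the split into must-not-drop, should-permit and link-local-only categories are all assumptions for the example, not anything a product ships.

```python
"""Parse constructed ICMPv6 messages and decide, per a reading of RFC 4890,
whether a border firewall should pass them. Added example; not pfSense code."""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58

# Transit policy categories: an assumption based on RFC 4890 section 4.3,
# not a statement of any firewall's default ruleset.
MUST_NOT_DROP = {1: "Destination Unreachable", 2: "Packet Too Big",
                 3: "Time Exceeded", 4: "Parameter Problem"}
SHOULD_PERMIT = {128: "Echo Request", 129: "Echo Reply"}
LINK_LOCAL_ONLY = {133: "Router Solicitation", 134: "Router Advertisement",
                   135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
                   137: "Redirect"}

# Constructed addresses for the example (all documentation-prefix, RFC 3849).
ROUTER = "2001:db8:1::1"      # a router on the path to some web server
HOST = "2001:db8::10"         # the LAN client behind the firewall
OFFLINK = "2001:db8:bad::1"   # a global-scope address that is not on the LAN


def icmpv6_checksum(src, dst, message):
    """RFC 4443 checksum: ones' complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, next header = 58) and the message."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(message), ICMPV6_NEXT_HEADER))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmpv6(src, dst, msg_type, code, body):
    """Assemble type, code, checksum and body with the checksum filled in."""
    unchecked = struct.pack("!BBH", msg_type, code, 0) + body
    return struct.pack("!BBH", msg_type, code,
                       icmpv6_checksum(src, dst, unchecked)) + body


def parse_icmpv6(src, dst, message):
    """Return type, code, checksum validity and, for Packet Too Big, the MTU."""
    if len(message) < 8:
        raise ValueError("an ICMPv6 message is at least 8 bytes")
    msg_type, code, csum = struct.unpack("!BBH", message[:4])
    zeroed = message[:2] + b"\x00\x00" + message[4:]
    parsed = {"type": msg_type, "code": code,
              "checksum_ok": icmpv6_checksum(src, dst, zeroed) == csum}
    if msg_type == 2:
        parsed["mtu"] = struct.unpack("!I", message[4:8])[0]
    return parsed


def transit_verdict(src, parsed):
    """What a firewall between the Internet and the LAN does with a message
    that arrived from src (assumed policy, see the categories above)."""
    t = parsed["type"]
    if not parsed["checksum_ok"]:
        return "drop: bad checksum"
    if t in MUST_NOT_DROP:
        return "allow: " + MUST_NOT_DROP[t]
    if t in SHOULD_PERMIT:
        return "allow: " + SHOULD_PERMIT[t]
    if t in LINK_LOCAL_ONLY:
        # NDP never travels more than one hop; a global-scope source is wrong.
        if ipaddress.IPv6Address(src).is_link_local:
            return "allow on link only: " + LINK_LOCAL_ONLY[t]
        return "drop: %s from non-link-local source" % LINK_LOCAL_ONLY[t]
    return "drop: unhandled type %d" % t


def pmtu_after(path_mtu, parsed, verdict):
    """Host side of PMTUD: the path MTU shrinks only if the Packet Too Big was
    delivered. If the firewall dropped it, the host keeps sending full-size
    packets that the path silently discards: a page that loads partially."""
    if (parsed["type"] == 2 and verdict.startswith("allow")
            and 1280 <= parsed["mtu"] < path_mtu):
        return parsed["mtu"]
    return path_mtu


def demo():
    """Build the constructed messages and return {name: (parsed, verdict)}."""
    invoking = b"\x60" + b"\x00" * 39   # placeholder 40-byte IPv6 header
    ptb = build_icmpv6(ROUTER, HOST, 2, 0, struct.pack("!I", 1280) + invoking)
    echo = build_icmpv6(OFFLINK, HOST, 128, 0,
                        struct.pack("!HH", 0x1234, 1) + b"abcdefgh")
    na = build_icmpv6(OFFLINK, HOST, 136, 0, struct.pack("!I", 0x20000000)
                      + ipaddress.IPv6Address(HOST).packed)
    tampered = ptb[:4] + struct.pack("!I", 9000) + ptb[8:]  # MTU edited in flight
    results = {}
    for name, src, msg in (("packet_too_big", ROUTER, ptb),
                           ("echo_request", OFFLINK, echo),
                           ("neighbor_adv", OFFLINK, na),
                           ("tampered_ptb", ROUTER, tampered)):
        parsed = parse_icmpv6(src, HOST, msg)
        results[name] = (parsed, transit_verdict(src, parsed))
    return results


if __name__ == "__main__":
    for name, (parsed, verdict) in demo().items():
        print("%-15s type=%-3d %s" % (name, parsed["type"], verdict))
```

The point to take from running it: the Packet Too Big from the router is the one message a firewall in front of a web client must not lose, because the client's path MTU only comes down when that message is delivered; the Neighbor Advertisement from a global address is exactly the kind of thing a blanket "ICMPv6 any to any" rule would also let in, which is why a per-type rule set is the usual recommendation.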

I added the rule for ICMPv6

I can successfully ping the LAN adapter (on the firewall), the DNS adapter (other subnet on the firewall), the WAN adapter and even www.google.be. They all produce an IPv6 result, so that looks good.

When I run the test again, I get the same result (message)

The firewall says:
interface: LAN
source: [the temporary IPv6 address on this windows 10]:1050
destination: [2001:41d0:8:e8ad::1]:8080
protocol: TCP:S

The ICMP firewall rule allows both source and destination

Does port 8080 have anything to do with ICMPv6? Not according to this site, unless of course I don't understand this (again - happens a lot lately)

No, port 8080 would have no bearing on it. ICMPv6 is more than just ping, there's a lot more to it and starting to go out of scope for what we would be able to provide support for.

https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-2

OK thanks I'll try and figure it out

ipv6-test.com is a bit buggy sometimes. https://test-ipv6.com Works better

I changed two rules, not sure this is correct, but it works, still have to think about this...

ICMPv6 any subtype, allow from 'any' to 'any' (floating rule that applies to all subnets with an IPv6 interface, including the WAN)

IPv6 any protocol, allow from 'interfaces with an IPv6 address' to 'any' (floating rule that applies to all subnets with an IPv6 interface, NOT including WAN). This seems to be necessary to allow traffic from the 'temporary IPv6 address' on the windows 10 machine. As soon as I limit this, the test fails again.

An IPv6 interface, as mentioned above (twice), is a LAN interface with the IPv6 setting 'track interface' (tracks the WAN).

Experts, which I'm not, can see that this is a pfSense firewall...